Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
We need to manage multiple types of layer-7 traffic in a service mesh, not just HTTP and gRPC ● RPC: HTTP, gRPC, Thrift, Dubbo, Proprietary RPC Protocol … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis Header Data Traffic Management for HTTP/gRPC - all good ● We get all the capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6 ● Routing based breeze can help Istio sail a little further - to manage any layer-7 protocols other than just HTTP and gRPC. You can think of Aeraki as the "Controller" to automate the creation of envoy configuration for layer-7
0 码力 | 29 pages | 2.11 MB | 1 year ago | 3
Istio is a long wild river: how to navigate it safely
--post-data '' localhost:15000/healthcheck/ok;"] This preStop hook will sleep to let downstream gRPC connections terminate, drain the Envoy listeners and sleep to give enough time for draining remaining users, use a service definition to generate Sidecar ● Use protocol specific traffic sniffing (i.e. gRPC call discovery) to find out dependencies ● eBPF magic to get service calls? We use the first approach Istio features 44 Moving HTTP/2 load-balancing from client-side to Envoy Adopting Istio ● We use gRPC heavily in our microservices ● But Kubernetes is pretty bad at load-balancing it ● So we solved
0 码力 | 69 pages | 1.58 MB | 1 year ago | 3
Automate mTLS communication with GoPay partners with Istio
3000+ deployments every week ● REST as well as gRPC services ● Services written in Golang, Java, Clojure, Ruby gRPC, Envoy, and ● GoPay has been using gRPC since 2016 ● GoPay had services running on VM
0 码力 | 16 pages | 1.45 MB | 1 year ago | 3
Moving large scale consumer e-commerce Infrastructure to Mesh
Overview ● User traffic infrastructure - TW region, all 3 zones ● REST APIs for client traffic ● gRPC for inter-service traffic ● Around 100+ microservices ● Majority of services written in Go #IstioCon Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP traffic via HAProxy ● gRPC traffic via Envoy ● Internet egress using NAT gateway #IstioCon Motivation ● Reliability of all known use-cases and features say mTLS, Outlier detection etc. ● Passthrough mode downgrades gRPC/http2 protocol to Http/1.1 ● Tune connection and TCP settings ● Handle signals gracefully (SIGINT
0 码力 | 14 pages | 1.76 MB | 1 year ago | 3
Developing & Debugging WebAssembly Filters
recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM CUSTOM gRPC TRANSCODER Build Custom Envoy Filter 6 | Copyright © 2020 Portable Secure Fast Any Language to recompile and maintain a build of Envoy EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM WASM gRPC TRANSCODER Why WebAssembly? 8 | Copyright © 2020 8 | Copyright © 2020 User Experience 9 | app=ratings Extension Config Discovery Service EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM WASM gRPC TRANSCODER ECDS 16 | Copyright © 2020 Build Store Deploy Debug meshctl wasm debug workloadSelector
0 码力 | 22 pages | 2.22 MB | 1 year ago | 3
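13 Istio Traffic Management Principles and Protocol Extension - Zhao Huabing
: certificate discovery service. • Aggregated Discovery Service (ADS): provides all xDS services through a single Aggregated Server, to solve the data consistency problems caused by the ordering of the different xDS services. gRPC/REST: update config on the fly 6 Istio Traffic Management – Data Plane – Envoy Sidecar Configuration in Istio Envoy Sidecar in Istio Header TCP Header Layer 7 Protocol Header Layer 7 Protocol Data Istio supports only a very limited set of layer-7 protocols: HTTP 1.1, HTTP2, gRPC. Other protocols can only be handled at layer 4 (control-plane support for other layer-7 protocols such as Thrift and Redis is very limited) 11 Istio Protocol Extension: Changes Required in the Control Plane and Data Plane apiVersion: networking path,method headers HTTP 2 pseudo header: authority pseudo header: authority, path,method, headers gRPC HTTP 2 path Request-Headers(Delivered as HTTP2 headers) TARS ServantName ServantName, FuncName, Context
0 码力 | 20 pages | 11.31 MB | 6 months ago | 3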
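Introduction to Envoy Principles and Pitfalls Encountered in Production
nvoy is currently far ahead in the data plane thanks to its high performance and extensibility. • iptables makes all traffic entering and leaving applications between Pods pass through the Envoy proxy, completely transparently to the application. Supports the main commonly used network protocols such as Http1/Http2/Tls/gRPC/Tcp. Copyright © Huawei Technologies Co., Ltd. All rights reserved. Page 6 Envoy Principles and Overall Architecture - Startup istiod filter L7 HTTP filter route handling upstream connection pool • Divided into the Envoy main thread and worker threads: • Main thread: • Responsible for initializing Envoy and reading and parsing the configuration file • Starts the gRPC listener and starts watching for xDS changes • Starts log-writing threads; each target log file has its own thread responsible for output • Starts a number of worker threads equal to concurrency • Starts a watchdog thread that monitors whether each worker thread touches periodically; otherwise kills the thread with SIGABRT envoyproxy.io/docs/envoy/latest/ Name Description Envoy A high-performance service mesh data-plane proxy based on C++11, 14 xDS The gRPC-based application-layer protocol used between Envoy and an upper-layer control plane such as istiod, for transmitting configuration changes. Automatic injection and traffic interception When a Pod is created, istiod automatically modifies the deployment and injects the istio-init and istio-proxy containers into the newly created Pod; when
0 码力 | 30 pages | 2.67 MB | 1 year ago | 3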
Observability and Istio Telemetry
Bypass adaptor Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query Core Istio telemetry Attribute Vocabulary https://istio.io/docs/refere • Endpoint. It is a path in the certain service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core Concepts Istio telemetry format SkyWalking native telemetry
0 码力 | 21 pages | 5.29 MB | 6 months ago | 3
Song Jingchao - From Open-Source Istio to Enterprise-Grade Services: How to Adopt Service Mesh in the Enterprise
Committee Jeyappragash (JJ) Co-founder Chair CNCF SIG Security Varun Talwar Co-founder Co-creator gRPC, Istio Lizan Zhou Senior Maintainer, Envoy Community & Industry Leaders ● Founded CNCF SIG Security annual zero trust multi-cloud conference Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache SkyWalking, Zipkin from Google, Twitter, & VMWare ● Top contributors to Envoy and Istio
0 码力 | 30 pages | 4.79 MB | 6 months ago | 3
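Analysis of the Principles of Istio Control Plane Components
• Building the cached configuration • How configuration changes are triggered to take effect Differences between v1 and v2 V1 HTTP1 REST JSON/YAML weakly typed polling SDS/CDS/RDS/LDS laid the foundation of the control plane V2 HTTP2 GRPC Proto3 strongly typed Push SDS/CDS/RDS/LDS/HDS/ADS/KDS strong partnership with Google Official blog: The universal data plane API Caching Istio and k8s configuration io/client-go builds the cache • Cache Istio: route-rule, virtual-service, gateway, etc. • Cache k8s: node, Service, Endpoints, etc. How configuration changes are triggered to take effect V2 actively pushes configuration to envoy over a GRPC bidirectional stream: • Event-triggered • when a configuration add/delete/modify event occurs • Timer-triggered • the environment variable V2_REFRESH can be configured to push configuration periodically Mixer - telemetry reporting • Raw data reported • Asynchronous flush to the Adapter
0 码力 | 30 pages | 9.28 MB | 6 months ago | 3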